Solvency II: Data Governance « In the Race for Quality, There Is No Finishing Line »
Beyond demonstrating once again the virtues, importance and central role of IT data quality for insurers, the purpose here is to identify what impact the Solvency II directive has when it regulates the governance and the quality of all IT data entering into risk measurement.
DATA QUALITY, THE REGULATORY REQUIREMENTS
Solvency II forms part of an environment which is already rich and diversified as regards controls and auditing of insurance activity. By shifting the prism of financial analysis from the accounting field to the economic field, the directive enlarges the perimeter of the insurer's strategic data.
In this context, the qualitative contribution made by Solvency II takes several forms :
• The directive defines its prerogatives at the level of « the data » and of the « sets of source data » and not solely at the level of « reworked and presentable » financial information. This is about the quality and the mastering of the source IT data which go into the calculations of risk projection and provisioning models.
• The reversal of the burden of proof : the insurer must certainly supply financial information which is « economic » and in accordance with « European » norms and formats, but it must also be able to prove that it is based on data which is checked, of high quality and properly produced.
• Finally, Solvency II is one of the first forms of regulation of the sector which strives to describe precise assessment criteria for the quality of IT data ; they will have to be exact, exhaustive and appropriate (relevant).
These changes are accompanied by the fixing of sanctions linked to good governance : it seems to be a question of a Capital Add-on request (requirement of supplementary own funds) in the case of the lack of quality of the performed reporting being demonstrated and/or of a reserved opinion on the approval of the internal model being issued. How it works precisely should become clearer with experience…
It can be noted that the fixing of these sanctions being accompanied by a desire for transparency with regard to the market and the general public, a mere reservation will be capable of significantly increasing the image and reputation risk amongst investors (quoted rating companies…).
These imposed qualitative criteria are the responsibility of insurers and will have to be integrated into the operational and technical management of the business.
Far from being a major revolution for « quality specialist » practitioners and experts in general assigned to the functional teams of IT departments, the qualitative criteria given by the directive have the merit of being shared and understandable by everyone.
THE GOVERNANCE MECHANISM : WHO IS RESPONSIBLE FOR QUALITY ?
In as much as the directive redefines the roles of the central risk management functions within the company, we could imagine that data governance and responsibility for their quality are clearly allocated. The directive remains imprecise on this subject : the debates between the Prudential Supervision Authority (« ACP ») and the insurers in 2012 aimed at identifying who will check the large amount of information transmitted to the supervisory authorities are quite revealing on this subject** even if they concern only the final, pillar III reporting.
On notera tout de même que l’article 46 de la directive précise le rôle du contrôle interne : il exige un système de contrôle interne et de gouvernance approprié et complet, cohérent, couvrant notamment les informations traitées dans le cadre de la maîtrise des risques, du pilotage de la solvabilité et de son reporting.
specifies the role of internal checking : it requires an appropriate and comprehensive system of internal checking and governance which is consistent, covering notably the information processed in the framework of the mastering of risks, solvency management and the reporting of it.
As for the Risks actuary, he must be capable « of assessing the adequacy and the quality of the data used in the calculation of the technical provisions » (Art. 48).
Nothing is therefore very explicit in the directive on this subject. It can nevertheless be affirmed that « in the spirit of the directive », data quality can no longer be almost exclusively a matter for the IT department. The subject must from now on also be capable of being heard, understood and interpreted by the business functions key to risk governance.
Moreover, the main French insurers are moving in this direction by implicating operational management in this subject. This is about supplementing a qualitative vision, based on operational efficiency, with a « risk » vision of data quality.
One of the appropriate responses will be to allow a central role for quality governance in the organization to emerge clearly : the Data Quality Manager. This function must be able to rely on operational « quality advisors » who must have legitimacy and be capable of clearly identifying, and remedying, the limits of their data management perimeters by engaging in dialogue with the other Departments concerned by the subject of data quality (IT Department, cross-cutting Services, business-function Departments,…)
The Data Quality Manager's role will thus be :
• To analyze the data quality assessments performed in connection with Solvency II
• To validate the plans for the remediation of identified anomalies
• To monitor the business's action plans concerning quality
• To coordinate the network of quality advisors
• To communicate within the business and to the outside world (supervisory authorities, market…) on the subject of « quality »
• To ensure that documentation linked to quality be updated.
This role will be rooted at the heart of the risk management system, by having the means to make all of the business's players aware of the issues surrounding quality and the gains brought by it.
The purpose of Solvency II is not to address all of insurers' quality problems, but the directive has the merit of setting down a risk governance framework which includes the mastering of data quality from end to end as an important condition of their solvency.
The deliverables of Solvency II linked to quality
Being indispenable for the certification of the internal model, the reversal of the burden of proof should incite numerous insurers to accomplish these deliverables in order to prove the quality of the economic results stemming from the standard model.
We have identified :
• The description of the application and functional architecture
• A data dictionary indicating the routing of each piece of data through to final reporting
• A repository of checking standards applying to data (with the 3 qualitative criteria : exactness, exhaustivity and relevance)
• A documented checking sheet reproducing the information checked will have to be generated for each transmission of data
• A qualification file assessing quality and formalizing the different checks and results obtained The last two points will notably require detailed consideration by most insurers : to provide input for the file, it will be necessary to put in place a dynamic auditing trail along the full length of the data processing value chain.
Putting concepts of quality into practice means having a precise vision of all of the strata of the organization and of the functional and application architecture of the business.
The overall Solvency II programme approach in an insurer must therefore take into account explicitly all actions linked to data quality.
In this respect, the detailed studies of source data and of Model Point input undertaken at insurers (pillar I Studies) will be a good starting point.
The supplemental objectives to work on will then be the following :
• To define, for each perimeter of data concerned (for liabilities, like for assets) the criteria and the appropriate quality strategy
• To prioritize actions by measuring the impact of measured quality levels on the calculation of risks
• To integrate the roles and responsibilities relating to data quality into the implementation of risk governance
• To formalize and master the data value chain within the « BI processes » of the business
• To utilize and document the checks in place (the implementation of a cross-cutting data quality « repository » will be an almost unavoidable aspect of this)
• To put in place new checks, for each « flow » of data and also between reporting statements produced in accordance with EV / IFRS /… norms and those produced for Solvency II.
Within the insurance profession it will be more and more necessary to have a comprehensive and crosscutting vision of one's « quality maturity », the drivers for improving it being numerous and rarely effective in isolation. For this type of long-term approach, depending on the situations, it will be necessary to identify carefully the series of coordinated measures and improvements which will significantly increase the insurer's data quality.
The insurance world has been convinced for a long time that elevating the immaterial assets constituted by its data to a high level of effectiveness gives a competitive advantage.
In this respect, beyond being a regulatory, legal and financial constraint, data quality will have to become part of the heart of business culture and remain there.